WooCommerce VPS Bot Attacks — The Hidden Cause of Slowness

WooCommerce VPS Bot Attacks — The Hidden Cause of Slowness

If you run a WooCommerce site on a VPS, there’s a good chance you’ve blamed slow performance on the hosting itself. But in many cases, the real culprit is WooCommerce VPS bot attacks. I ran my VPS for weeks without realising it was being hammered day and night by thousands of bots, chewing through CPU and memory while giving me the impression that my server was overloaded. In reality, my customers weren’t the problem — the bots were.

The Hidden Enemy: Bots

It only took a few weeks of running my WooCommerce VPS before I noticed the server looked busier than it should. What I didn’t know at the time was that WooCommerce VPS bot attacks were happening constantly in the background. Bots hammer login pages like /wp-login.php and /xmlrpc.php, as well as SSH and other ports, all day and night. None of this traffic is legitimate, but every hit consumes CPU, RAM, and sometimes disk.

Here’s the trap many VPS owners fall into: they see a sluggish server and assume they need to upgrade to more RAM or more CPU. The reality? That upgrade just gives the bots more resources to waste — making your server better for the bots, not your customers. The real fix is to recognise and stop the attacks in the first place.

CSF and LFD — The First Line of Defence

Every system on the internet suffers from bots — whether it’s WooCommerce, Shopify, Magento, or any other platform. Bots don’t discriminate. They crawl login pages, scan ports, and look for weaknesses everywhere. The difference is that when you’re running WooCommerce on your own VPS, you have total control over how you defend against them. That means you can configure powerful tools like CSF and LFD to stop attacks before they cause trouble.

• CSF is the firewall. It blocks unwanted traffic, enforces port rules, and keeps bad connections out.
• LFD is the watchdog. It monitors server logs for repeated failures or suspicious patterns and automatically tells CSF to block the source IP.

The result is that your VPS quietly builds a deny list in the background. In my case, after only a few weeks, there were already more than 2000 blocked IPs. That’s how relentless WooCommerce VPS bot attacks really are — and why using CSF and LFD properly is far more effective than simply upgrading your VPS hardware.

Why IPSET Makes the Difference

Firewalls like CSF work well, but there’s a limit. Traditional iptables firewalls slow down when you have thousands of blocked IPs because every new packet has to be checked line by line. On a busy VPS, that’s wasted effort. This is where IPSET comes in.

IPSET stores blocked IPs in kernel hash tables instead of long lists. That means your server can check and drop traffic in microseconds, even with tens of thousands of entries. It’s faster, more efficient, and scales as bot traffic grows. Shopify, Magento, or SaaS-based systems also suffer from bot hits, but on your own VPS with WooCommerce you have the control to deploy IPSET yourself. That control makes the difference between a server weighed down by attackers and one that runs smoothly for your customers.

When I enabled IPSET on my WooCommerce VPS, the results were immediate. CPU load dropped into a comfortable 0.5–1.0 range on six cores, memory use stabilised, and swap cleared after a reboot. The server finally behaved the way I expected when I first signed up for it.

The Before & After Numbers

Before tackling the bots, we’d already done a lot of VPS optimisation work. We synchronised cron jobs so they didn’t collide, tuned MySQL for WooCommerce queries, and optimised PHP-FPM pools for each site. Those changes definitely helped smooth out resource usage. But the big picture problem remained: server load was still far higher than it should have been.

At peak times the CPU load was hitting 12 on a 6-core VPS — that’s full saturation, every core maxed out. Even during so-called “normal” periods, the load averaged around 6. Memory looked reasonable, but swap was permanently full. The VPS felt like it was on the edge all the time, no matter how much tuning we did.

Then we turned our attention to WooCommerce VPS bot attacks. That turned out to be 80% of the struggle — and 80% of the results. Once CSF and LFD were tuned properly and IPSET was enabled, everything changed. CPU dropped to a steady 0.5–1.0 load. Swap cleared. Memory use stabilised. Suddenly the server was quiet, predictable, and responsive, even when handling customer traffic. The same VPS that looked like it was “too small” a few weeks earlier now had plenty of headroom.

Why This Matters for Your Business

For many businesses, website performance isn’t just about loading speed for customers — it’s also about the experience of the people managing the site every day. In our case, two of our WooCommerce sites each hold around 17,000 products, with another ten WooCommerce sites running on the same VPS. That’s a serious workload, and if the server is already under pressure from bots, simple admin tasks like updating prices or managing stock can feel painfully slow.

Before we controlled the bots, that’s exactly what happened. Adding or editing products in the back-end could lag badly. Imports stalled. Even routine updates were frustrating. Once CSF, LFD, and IPSET were fully configured, the change was dramatic. Not only were customer-facing pages faster, but the WordPress dashboards across all sites became much more responsive. Suddenly, managing 17,000+ products in WooCommerce felt realistic instead of overwhelming.

It’s important to put this in context. Cron synchronisation, SQL optimisation, and PHP-FPM tuning were all valuable steps — they smoothed things out and reduced some overhead. But in practice, controlling WooCommerce VPS bot attacks was about 80% of the struggle, and gave 80% of the performance gain. Without that, the other optimisations could only go so far.

Key Takeaways & What to Do Next

The lesson here is simple: don’t assume slow WooCommerce sites always mean you’ve outgrown your VPS. More often than not, it’s WooCommerce VPS bot attacks chewing through your resources. By using CSF, LFD, and especially IPSET, you can stop the noise, reclaim performance, and give your real customers a faster experience.

If you’re managing multiple WooCommerce sites or large product catalogues — like our two stores with 17,000 products each plus ten more Woo sites — the difference is night and day. Backend tasks speed up, front-end performance improves, and your VPS finally delivers the service you paid for.

The right order matters too. Start with server tuning (cron sync, SQL, PHP-FPM pools), but understand that blocking bots is the biggest win. In our case, it solved 80% of the performance struggle and gave 80% of the results.

About the Author

This article was written by Keith Rowley, founder of Sydney Business Web. Keith is a former professional engineer and systems engineer, with decades of experience defining and solving complex problems. He now applies that same discipline to building high-performance WooCommerce hosting environments for Australian businesses.

Keith is also an advanced user of AI, leveraging it to streamline processes and deliver better outcomes for clients — from smarter hosting setups to effective web strategies. His goal is simple: give businesses the confidence that their websites are fast, secure, and reliable, without wasting money on unnecessary upgrades.

References: :Cloudflare: What is bot management? | How bot managers work

References: :Arkose Labs: What Are Bot Attacks & How to Stop Them